The ability to access and download the GlobalProtect software without portal authentication

• Users are able to download the GlobalProtect application from the Portal without authentication.
• There is no option to turn off this page.
• The page loads even when the portal login page is disabled. 

• GlobalProtect Portal
• Supported PAN-OS
• GlobalProtect App

• This is by design and is not considered a vulnerability as it would not cause any specific information leak via the GlobalProtect download page.
• This page only presents the GlobalProtect application published by Palo Alto Networks. 

Follow the steps below to deny access to the GlobalProtect download page and block any attempts to download the application:

1. Under Objects> Custom Objects> URL Category create a custom URL category and add two URLs "PortalAddress/global-protect/getsoftwarepage.esp" and "PortalAddress/global-protect/getmsi.esp" as demonstrated in the screenshot below: 

2. Under "Objects> Security Profiles> URL filtering> Custom URL Categories" set the category "BlockCustomURL" with action "block". 

3. Select the Security Policy that allows access to the Portal address and attach the URL filtering profile under "Policies> Security> Actions> Profile Settings> Profile Type> Profiles> URL filtering".
4. Commit the changes. 
5. Test access to "https://PortalAddress/global-protect/getsoftwarepage.esp" and "PortalAddress/global-protect/getmsi.esp" through the browser.